WordPress: Stored XSS on Wordpress 5.3 via Title Post
I have identified a WordPress security vulnerability, a Stored XSS vulnerability that affects the latest version of WordPress 5.3. POC: 1. Login to the wordpress website 2. Make a post with an XSS payload in the title, for example alertdocument.domain; 3. Publish, then open the post; the XSS will trigger. Impact: Can steali...
Nord Security: No Rate Limit On Forgot Password Page Of NordVPN
Introduction A little bit about Rate Limit: A rate limiting algorithm is used to check if the user session or IP-address has to be limited based on the information in the session cache. In case a client made too many requests within a given timeframe, HTTP-Servers can respond with status code 429...
Grammarly: Previously created sessions continue being valid after MFA activation
Hi team, I found one issue related to your 2FA system on https://account.grammarly.com/security POC 1 access the same account on https://account.grammarly.com in two devices 2 on device 'A' go to https://account.grammarly.com/security complete all steps to activate the 2FA system Now the 2FA is...
GitLab: SSRF vulnerability in gitlab.com webhook
1. Login to your GitLab account and create a new project, then go to https://gitlab.com/username/project/settings/integrations 2. You can add a url to SSRF. Following are the steps to reproduce: If you enter http://127.0.0.1:80/haha.txt as url, we will get "Hook executed successfully but returned...
Snapchat: Stealing SSO Login Tokens (snappublisher.snapchat.com)
Description: An attacker can steal SSO login tokens for snappublisher.snapchat.com by chaining different flaws in SSO and Snapchat's Snappublisher tool. The detailed attack flow is as follows. Attack Flow 1. Snapchat fetches a SSO LOGIN TOKEN from accounts.snapchat.com to log in to different products o...
Brave Software: [iOS/Android] Address Bar Spoofing Vulnerability
Hello, I am Aaditya Purani. I would like to report an address bar spoofing vulnerability in Brave Browser on the iOS as well as Android platform. All the tests have been carried out against the latest Brave Browser, whose versions I have mentioned in the Products affected section. Summary: Brave Browser Suffe...
ownCloud: DROWN Attack
Hi, I want to report a drown attack in .owncloud.com. A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable serve...
Internet Bug Bounty: CVE-2022-21831: Possible code injection vulnerability in Rails / Active Storage
Original report: https://hackerone.com/reports/1154034 Rails advisory: https://discuss.rubyonrails.org/t/cve-2022-21831-possible-code-injection-vulnerability-in-rails-active-storage/80199 Blogpost:...
Internet Bug Bounty: CVE-2022-27779: cookie for trailing dot TLD
Published Advisory: https://curl.se/docs/CVE-2022-27779.html Original Report: https://hackerone.com/reports/1553301 Impact This can allow arbitrary sites to set cookies that then would get sent to a different and unrelated site or domain. ie. conduct session fixation attacks...
TikTok: IDOR the ability to view support tickets of any user on seller platform
Due to an Insecure Direct Object Reference IDOR vulnerability, an attacker could have potentially viewed support tickets on seller platform. We thank @lewaperbb for reporting this to our team...
Affirm: Subdomain takeover due to non registered TLD [ ██████████.█████.██████.com ]
Summary: I was looking at the recently disclosed report 1297689 and I was thinking of taking a look for the same issue on this asset, as I love to test for subdomain takeover vulnerabilities. While testing I noticed a DNS entry for ███████.████.██████████.com is a CNAME to ████.███████████ whose TLD is not...
Shopify: [h1-2102] FQDN takeover on all Shopify wholesale customer domains by trailing dot (RFC 1034)
Summary: Due to a missing domain format check in Shopify's wholesale functionality, it is possible to serve arbitrary content on the customer's domain through existing DNS records already configured to work with Shopify. I only tested with domains that I own but as far as I understand, this would...
Shopify: Ability to publish a paid theme without purchasing it.
Hi, Description I kept looking for alternatives to my report 927567 and I found another way to publish a paid theme without having to purchase it. This time the trick is to send "ThemePublishLegacy" XHR request while the theme is being installed. Requirements 1. Google Chrome suggested because...
Stripo Inc: Unrestricted File Upload on https://my.stripo.email and https://stripo.email
Hi Stripo Inc, I found 2 Unrestricted File Upload Vulnerabilities on your website. First Vulnerability: Steps to Reproduce 1. Create an account in "https://my.stripo.email" 2. Simply download a php shell from the internet and open it with a text editor. ex: r57 shell 3. Then save it as a JPEG file. 4. Go bac...
Node.js third-party modules: [tree-kill] RCE via insecure command concatenation (only Windows)
I would like to report an RCE issue in the tree-kill module. It allows executing arbitrary commands remotely inside the victim's PC. Module module name: tree-kill version: 1.2.1 npm page: https://www.npmjs.com/package/tree-kill Module Description Kill all processes in the process tree, including t...
Chaturbate: Blind SSRF on image proxy camo.stream.highwebmedia.com
The hacker discovered that our secure image proxy camo.stream.highwebmedia.com could be used to access https endpoints on internal ips. The application was patched to not allow access to internal ips. In this case these servers are in a separate cluster with no access to other services so possibl...
X (Formerly Twitter): [dev.twitter.com] XSS and Open Redirect Protection Bypass
Description: Hi, after I finished reading the report https://hackerone.com/reports/260744, I started to test this subdomain. I found an interesting url https://dev.twitter.com/web/sign-inhttps://dev.twitter.com/basics/adding-international-support-to-your-apps. This url is special; my intuition tells me th...
Node.js third-party modules: [public] Path Traversal allows to read content of arbitrary files
Hi Guys, There is a Path Traversal in the public module. It allows reading the content of arbitrary files on the remote server. Module public Run static file hosting server with specified public dir & port. Support a "direcotry index" like Apache httpd. https://www.npmjs.com/package/public version: 0.1.2...
Semrush: Following links are vulnerable to clickjacking
Summary: The below list...
WordPress: Clickjacking wordcamp.org
Hello Security, Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking contro...
Pornhub: Wordpress Content injection
The researcher discovered a vulnerability in an outdated version of Wordpress allowing them to edit and make new posts...
LocalTapiola: SQL Injection /webApp/sijoitustalous_peruutus locId parameter (viestinta.lahitapiola.fi)
Vulnerable script: /webApp/sijoitustalous_peruutus Vulnerable parameter: locId Database: PostgreSQL PoC 1. TRUE, substrversion,1,10='PostgreSQL', Result: Ilmoittaumisesi on peruttu...
Slack: File upload XSS (Java applet) on http://slackatwork.com/
The web application supports file uploads and I was able to upload a Java Applet .class/.jar file. If a web browser loads a Java applet from a trusted site, the browser provides no security warning. If an attacker can upload a CLASS/JAR file with an applet, the file is executed even if the web...
Cloudflare: Apache mod_negotiation filename bruteforcing
Vulnerability description: mod_negotiation is an Apache module responsible for selecting the document that best matches the client's capabilities from one of several available documents. If the client provides an invalid Accept header, the server will respond with a 406 Not Acceptable error...
Khan Academy: XSS on using the legacy "Graphie To Png" API
The legacy "Graphie To Png" API was vulnerable to exploitation. An attacker could upload malicious graphies that included harmful SVG and JSON data. The SVG contained an onload attribute that executed arbitrary JavaScript. The JSON data modified the content of labels, causing the graphie renderer...
U.S. Dept Of Defense: Reflected XSS via Keycloak on ███ [CVE-2021-20323]
Keycloak 8.0 and prior versions contained a cross-site scripting vulnerability. An attacker could have executed arbitrary script by inserting a malicious payload in the path of a POST request to the /auth/realms/master/clients-registrations/openid-connect endpoint. This allowed the server to...
Internet Bug Bounty: CVE-2023-28320 - siglongjmp race condition
A race condition vulnerability CVE-2023-28320 existed in libcurl's synchronous resolver, which could allow a multi-threaded application to crash or misbehave due to the use of a global buffer that was not mutex protected. The vulnerability could result in a denial of service...
Cloudflare Public Bug Bounty: Origin IP address disclosure through Pingora response header
HTTP responses to cached files served by the Pingora proxy revealed Origin IP address information. An attacker could trigger this misbehaviour by crafting a request with a malformed Range header. The attack was successful under conditions where Cloudflare cache was in REVALIDATED state, the...
GitHub Security Lab: [Java] CWE-094: Jython code injection
This bug was reported directly to GitHub Security Lab...
GitHub Security Lab: ihsinme: CPP Add query for CWE-691 Insufficient Control Flow Management After Refactoring The Code
This bug was reported directly to GitHub Security Lab...
Nextcloud: bypassing dashboard without account + Information disclosure trough websockets
Summary: I found an information disclosure: by bypassing a url parameter, an attacker can redirect to the dashboard without the login user/pass page, and the websocket can be exposed in the response/dashboard. URL affected: https://support.nextcloud.com/passwordreset Steps To Reproduce: Opened directory at...
Kartpay: Misconfiguration of Merchant id in jwt header + Weird Debug mode enabling behavior leads to exposed OTP of mobile number.
The verification email content could be decrypted easily and leads to disclosure of information that was supposed to be provided only after account verification is completed. Secondly, for a limited time production was put in debug mode, but it was left that way. It has now been fixed...
Doppler VDP: Bypass Email Verification.
Steps to reproduce: 1. Sign up to doppler here https://dashboard.doppler.com/register. 2. Then it will go to this page https://dashboard.doppler.com/confirm and ask you to confirm your email. 3. Go to the source code and search for tagsconfirmemail. 4. You will find the email verification token...
Logitech: Sensitive information disclosure to shared access user via streamlabs platform api
Summary: Hi there, hope you are doing well and staying safe. Streamlabs allows us to invite other users to manage our dashboard and cloudbot functions via the following setting, named "Shared Access": https://streamlabs.com/dashboard/settings/shared-access If we invite other users with the Moderator rol...
ImpressCMS: Download full backup and Cross site scripting
A backup zip file was still left on the server, which was removed. Moreover, an old unused content editor was still left and could be used by a malicious user. The unused editor has been removed as well...
Automattic: Sql injection on docs.atavist.com
Hello dear team, I have found SQL injection on docs.atavist.com. url: http://docs.atavist.com/readerapi/stories.php?limit=10&offset=20&organizationid=88822&search=0&sort= parameters: injectable search=0 Parameter: search GET Type: AND/OR time-based blind Title: MySQL = 5.0.12 AND time-based blind...
Acronis: Ticket Trick at https://account.acronis.com
Summary: Hello dear team, I found a serious issue in Acronis. This vulnerability is called the ticket trick vulnerability, which comes under the critical category. It can allow me to login on websites like atlassian, github, cloudflare, choopa, etc. on behalf of [email protected]. Steps To Reprodu...
Curve: Sensitive Info Leak - An Attacker Can Retrieve All the Users Mobile Numbers at https://website-api.production.curve.app/api/waitlist/us
Hi, When I was going through all the JS files in curve.com I found a link called "/usa" that is used to create Curve USA Waitlists by entering your name, email address, mobile number and address details. F874173 Then there is a functionality called "Track my Position" by using which joined users can view...
Topcoder: SSRF at https://cognitive.topcoder.com leads to AWS instance metadata due to vulnerable email subscription feature
Summary: Topcoder makes use of Amazon's AWS in their web application environment. I noticed a feature that allows a user to subscribe and receive emails from Topcoder. This feature is vulnerable to server side request forgery since it allows a user to supply an arbitrary URL which the application...
U.S. Dept Of Defense: SSN is exposed on slides, previous critical report was not fixed in an appropriate way
Summary: SSN is exposed on slides, previous critical report was not fixed in an appropriate way Description: 1. SSN is exposed on a screenshot. Slide 13th. SSN is covered by an olive/green rectangle which is moveable. The image itself was not updated. ██████wp-content/uploads/2018/12/████████ 2...
Visma Public: [IDOR]Ability to edit Description of api_key's of other users.
The researcher was able to change the description associated with API keys for other users on the /api/orgID/apiKey endpoint by modifying the id of the API key in the request...
Nord Security: Expired Available Domains in nordvpn.com website code
We at NordVPN want to stress that these domains were removed not because they were a threat, but because they simply were of no use. Also, new domains were added because this is a part of our operational tasks. These changes are made every few months. THANKS @nordvpn @emanu Well I have been Doing...
Stripo Inc: subdomain takeover at status-stage0.stripo.email
The subdomain status-stage0.stripo.email was pointed at uptimerobot.com. It was not being used, but still had a CNAME record to stats.uptimerobot.com, hence anyone could take it over. I have parked it with an account on uptimerobot.com. Note: this issue is similar to report but with another...
Semrush: Persistent CSV injection
Hi Team, https://www.semrush.com/notes is vulnerable to persistent (stored) csv injection. POC: 1. Login into the application and open https://www.semrush.com/notes 2. Click on the "Add note" button 3. Enter csv injection payloads like =4+4, =HYPERLINK"http://evil.com", "EVIL" and click on sa...
GSA Bounty: Subdomain Takeover due to unclaimed domain pointing to AWS
Note: I know this is on an out of scope domain, however felt it should still be raised as it was the only subdomain of data.gov to be vulnerable. Issue Details The consultant identified that subdomain https://18f.domains.api.data.gov/ is pointing to dn9rrjaiux2m0.cloudfront.net via a DNS CNAME...
Internet Bug Bounty: Exim handles BDAT data incorrectly and leads to crash/hang
Original article is here. Incorrect BDAT data handling leads to DoS. Vulnerability Analysis: When receiving data with the BDAT command, the SMTP server should not consider a single dot '.' in a line to be the end of the message. However, we found exim does so in receive_msg when parsing the header, like the following...
Inflection: XST(Cross Site Tracing)
Researcher reported that OPTIONS and TRACE HTTP methods are enabled. HTTP configuration best practices are not currently in scope for our HackerOne program, so we closed the report. Researcher requested that we disclose it...
Internet Bug Bounty: Mercurial can be tricked into granting authorized users access to the Python debugger
I reported this bug privately to Mercurial and they produced an out of band release to fix the bug here: https://www.mercurial-scm.org/wiki/WhatsNewMercurial4.1.3.282017-4-18.29 I produced a very detailed proof of concept with a Metasploit exploit module, which can be seen publicly here:...
ownCloud: Outdated Jenkins server hosted at OwnCloud.org
Summary: The target OwnCloud server is running an outdated version of Jenkins which is vulnerable to various attacks. Server Location: https://ci.owncloud.org Vulnerable Software: Jenkins ver. 2.27 Proof of Exploitability CVE-2016-3727 POC URL:...
Internet Bug Bounty: Integer overflow in ftp_genlist() resulting in heap overflow
https://bugs.php.net/bug.php?id=69545 Description: The ftp_genlist function of the ftp extension is prone to an integer overflow, which may result in remote code execution. ext/ftp/ftp.c:ftp_genlist... 1826 size = 0; 1827 lines = 0; 1828 lastch = 0; 1829 while ((rcvd = my_recv(ftp, data->fd...